816 resultados para Information security
Resumo:
La formación y preparación constante del personal de TI es una de las estrategias más efectivas para mejorar la calidad, estabilidad y seguridad de las redes y servicios asociados. En esta línea, el CEDIA ha venido implementando cursos y talleres de capacitación dirigidos a sus miembros y, dentro del CSIRT-CEDIA, se ha pensado en la posibilidad de optimizar los procesos asociados al despliegue de la infraestructura necesaria para proveer a los participantes de éstas capacitaciones, con el material personalizado adecuado, en las áreas de seguridad informática. Es así que se decidió usar técnicas de virtualización para aprovechar los recursos disponibles, pero aun cuando esto en sí no es una tendencia nueva, el uso de una copia completa del disco virtual para cada participante, no sólo resulta impráctico en cuestión de tiempo, sino también en cuanto al consumo de almacenamiento necesario. Este trabajo se orienta justamente a la optimización en los tiempos y consumos asociados a los procesos de replicación de un mismo equipo y disco virtuales para uso particularizado de varios participantes.
Resumo:
The information technology - IT- benefits have been more perceived during the last decades. Both IT and business managers are dealing with subjects like governance, IT-Business alignment, information security and others on their top priorities. Talking about governance, specifically, managers are facing it with a technical approach, that gives emphasis on protection against invasions, antivirus systems, access controls and others technical issues. The IT risk management, commonly, is faced under this approach, that means, has its importance reduced and delegated to IT Departments. On the last two decades, a new IT risk management perspective raised, bringing an holistic view of IT risk to the organization. According to this new perspective, the strategies formulation process should take into account the IT risks. With the growing of IT dependence on most of organizations, the necessity of a better comprehension about the subject becomes more clear. This work shows a study in three public organizations of the Pernambuco State that investigates how those organizations manage their IT risks. Structured interviews were made with IT managers, and later, analyzed and compared with conceptual categories found in the literature. The results shows that the IT risks culture and IT governance are weakly understood and implemented on those organizations, where there are not such an IT risk methodology formally defined, neither executed. In addition, most of practices suggested in the literature were found, even without an alignment with an IT risks management process
Resumo:
This study examines the factors that influence public managers in the adoption of advanced practices related to Information Security Management. This research used, as the basis of assertions, Security Standard ISO 27001:2005 and theoretical model based on TAM (Technology Acceptance Model) from Venkatesh and Davis (2000). The method adopted was field research of national scope with participation of eighty public administrators from states of Brazil, all of them managers and planners of state governments. The approach was quantitative and research methods were descriptive statistics, factor analysis and multiple linear regression for data analysis. The survey results showed correlation between the constructs of the TAM model (ease of use, perceptions of value, attitude and intention to use) and agreement with the assertions made in accordance with ISO 27001, showing that these factors influence the managers in adoption of such practices. On the other independent variables of the model (organizational profile, demographic profile and managers behavior) no significant correlation was identified with the assertions of the same standard, witch means the need for expansion researches using such constructs. It is hoped that this study may contribute positively to the progress on discussions about Information Security Management, Adoption of Safety Standards and Technology Acceptance Model
Resumo:
The text analyses the intelligence activity against Poland in the period 1944-1989. The paper also contains a case study, i.e. an analysis of the American intelligence service activity held against Poland. While examining the research thesis, the author used the documents and analyses prepared by the Ministry of Internal Affairs. In order to best illustrate the point, the author presented a number of cases of persons who spied for the USA, which was possible thanks to the analysis of the training materials of the Ministry of Internal Affairs directed to the officers of the Security Service and the Citizens’ Militia. The text tackles the following issues: (1) to what extent did the character of the socio-political system influence the number of persons convicted for espionage against Poland in the period under examination?, (2) what was the level of interest of the foreign intelligence services in Poland before the year 1990?, (3) is it possible to indicate the specificity of the U.S. intelligence activity against Poland? 1) The analysis of data indicates that the period 1946-1956 witnessed a great number of convictions for espionage, which is often associated with the peculiar political situation in Poland of that time. Up to 1953, the countries of the Eastern bloc had reproduced the Stalin’s system, which only ceased due to the death of Stalin himself. Since then, the communist systems gradually transformed into the system of nomenklatura. Irrespective of these changes, Poland still witnessed a wave of repressions, which resulted from the threats continuously looming over the communist authorities – combating the anti-communist underground movement, fighting with the Ukrainian Insurgent Army, the Polish government-in-exile, possible revisionism of borders, social discontent related to the socio-political reforms. Hence, a great number of convictions for espionage at that time could be ascribed to purely political sentences. Moreover, equally significant was the fact that the then judicial practice was preoccupied assessing negatively any contacts and relations with foreigners. This excessive number of convictions could ensue from other criminal-law provisions, which applied with respect to the crimes against the State, including espionage. What is also important is the fact that in the Stalin’s period the judiciary personnel acquired their skills and qualifications through intensive courses in law with the predominant spirit of the theory of evidence and law by Andrey Vyshinsky. Additionally, by the decree of 1944 the Penal Code of the Polish Armed Forces was introduced; the code envisaged the increase in the number of offences classified as penalised with death penalty, whereas the high treason was subject to the military jurisdiction (the civilians were prosecuted in military courts till 1955; the espionage, however, still stood under the military jurisdiction). In 1946, there was introduced the Decree on particularly dangerous crimes in the period of the State’s recovery, which was later called a Small Penal Code. 2) The interest that foreign intelligence services expressed in relation to Poland was similar to the one they had in all countries of Eastern and Central Europe. In the case of Poland, it should be noted that foreign intelligence services recruited Polish citizens who had previously stayed abroad and after WWII returned to their home country. The services also gathered information from Poles staying in immigrant camps (e.g. in FRG). The activity of the American intelligence service on the territory of FRG and West Berlin played a key role. The documents of the Ministry of Internal Affairs pointed to the global range of this activity, e.g. through the recruitment of Polish sailors in the ports of the Netherlands, Japan, etc. In line with the development in the 1970s, espionage, which had so far concentrated on the defence and strategic sectors, became focused on science and technology of the People’s Republic of Poland. The acquisition of collaborators in academic circles was much easier, as PRL opened to academic exchange. Due to the system of visas, the process of candidate selection for intelligence services (e.g. the American) began in embassies. In the 1980s, the activity of the foreign intelligence services concentrated on the specific political situation in Poland, i.e. the growing significance of the “Solidarity” social movement. 3) The specificity of the American intelligence activity against Poland was related to the composition of the residency staff, which was the largest in comparison to other Western countries. The wide range of these activities can be proved by the quantitative data of convictions for espionage in the years 1944-1984 (however, one has to bear in mind the factors mentioned earlier in the text, which led to the misinterpretation of these data). Analysing the data and the documents prepared by the Ministry of Internal Affairs, one should treat them with caution, as, frequently, the Polish counter-intelligence service used to classify the ordinary diplomatic practice and any contacts with foreigners as espionage threats. It is clearly visible in the language of the training materials concerned with “secret service methods of the intelligence activity” as well as in the documents on operational activities of the Security Service in relation to foreigners. The level of interest the USA had in Poland was mirrored in the classification of diplomatic posts, according to which Warsaw occupied the second place (the so-called Group “B”) on the three-point scale. The CIA experienced spectacular defeats during their activity in Poland: supporting the Polish underground anti-communist organisation Freedom and Independence and the so-called Munich-Berg episode (both cases took place in the 1950s). The text focuses only on selected issues related to the espionage activities against Poland. Similarly, the analysis of the problem has been based on selected sources, which has limited the research scope - however, it was not the aim of the author to present the espionage activity against Poland in a comprehensive way. In order to assess the real threat posed by the espionage activity, one should analyse the case of persons convicted for espionage in the period 1944-1989, as the available quantitative data, mentioned in the text, cannot constitute an explicit benchmark for the scale of espionage activity. The inaccuracies in the interpretation of data and variables, which can affect the evaluation of this phenomenon, have been pointed out in the text.
Resumo:
A new emerging paradigm of Uncertain Risk of Suspicion, Threat and Danger, observed across the field of information security, is described. Based on this paradigm a novel approach to anomaly detection is presented. Our approach is based on a simple yet powerful analogy from the innate part of the human immune system, the Toll-Like Receptors. We argue that such receptors incorporated as part of an anomaly detector enhance the detector’s ability to distinguish normal and anomalous behaviour. In addition we propose that Toll-Like Receptors enable the classification of detected anomalies based on the types of attacks that perpetrate the anomalous behaviour. Classification of such type is either missing in existing literature or is not fit for the purpose of reducing the burden of an administrator of an intrusion detection system. For our model to work, we propose the creation of a taxonomy of the digital Acytota, based on which our receptors are created.
Resumo:
No desenvolvimento deste Trabalho de Investigação Aplicada, pretende-se responder à questão: Quais os requisitos necessários a implementar numa base de dados relacional de controlos de segurança da informação para Unidades, Estabelecimentos ou Órgãos militares do Exército Português? Deste modo, para se responder a esta questão central, houve necessidade de subdividir esta em quatro questões derivadas, sendo elas: 1. Quais as principais dimensões de segurança da informação ao nível organizacional? 2. Quais as principais categorias de segurança da informação ao nível organizacional? 3. Quais os principais controlos de segurança da informação a implementar numa organização militar? 4. Quais os requisitos funcionais necessários a implementar numa base de dados de controlos de segurança da informação a implementar numa organização militar? Para responder a estas questões de investigação, este trabalho assenta numa investigação aplicada, com o objetivo de desenvolver uma aplicação prática para os conhecimentos adquiridos, materializando-se assim numa base de dados. Ainda, quanto ao objetivo da investigação, este é descritivo, explicativo e exploratório, uma vez que, tem o objetivo de descrever as principais dimensões, categorias e controlos da segurança da informação, assim como o objetivo de explicar quais são os requisitos funcionais necessários a implementar numa base de dados de controlos de segurança da informação. Por último, tem ainda o objetivo de efetuar um estudo exploratório, comprovando a eficácia da base de dados. Esta investigação assenta no método indutivo, partindo de premissas particulares para chegar a conclusões gerais, isto é, a partir de análise de documentos e de inquéritos por entrevista, identificar-se-ão quais são os requisitos funcionais necessários a implementar, generalizando para todas as Unidades, Estabelecimentos ou Órgãos militares do Exército Português. No que corresponde ao método de procedimentos, usar-se-á o método comparativo, com vista a identificar qual é a norma internacional de gestão de segurança de informação mais indicada a registar na base de dados. Por último, como referido anteriormente, no que concerne às técnicas de investigação, será usado o inquérito por entrevista, identificando os requisitos necessários a implementar, e a análise de documentos, identificando as principais dimensões, categoriasou controlos necessários a implementar numa base de dados de controlos de segurança da informação. Posto isto, numa primeira fase da investigação, através da análise de documentos, percecionam-se as principais dimensões, categorias e controlos de segurança da informação necessários a aplicar nas Unidades, Estabelecimentos ou Órgãos militares do Exército Português, por forma a contribuir para o sucesso na gestão da segurança da informação militar. Ainda, através de entrevistas a especialistas da área de segurança da informação e dos Sistemas de Informação nas unidades militares, identificar-se-ão quais os requisitos funcionais necessários a implementar numa base de dados de controlos de segurança da informação a implementar numa organização militar. Por último, numa segunda fase, através do modelo de desenvolvimento de software em cascata revisto, pretende-se desenvolver uma base de dados relacional, em Microsoft Access, de controlos de segurança da Informação a fim de implementar em Unidades, Estabelecimentos ou Órgãos militares do Exército Português. Posteriormente, após o desenvolvimento da base de dados, pretende-se efetuar um estudo exploratório com vista a validar a mesma, de modo a comprovar se esta responde às necessidades para a qual foi desenvolvida.
Resumo:
O presente trabalho de investigação aplicada tem como titulo “Processo de Awareness dos Utilizadores nas Redes Militares”, com o intuito de “identificar a forma mais eficiente e eficaz de efetuar um design de um processo de awareness de forma a sensibilizar os utilizadores do sistema de e-mail do Exército para os ataques de phishing” que é o objetivo desta investigação. Por este motivo, de início foram selecionados objetivos específicos que remetem para este principal. Foi definido que precisamos de conhecer as principais teorias comportamentais que influenciam o sucesso dos ataques de phishing, de forma a perceber e combater estes mesmos. Foi, também, necessário perceber quais os principais métodos ou técnicas de ensino de atitudes, para possibilitar a sensibilização dos utilizadores, como também era necessário definir o meio de awareness para executar esta mesma. Por último, era necessário o processo de awareness, portanto, precisamos de critérios de avaliação e, para isso, é importante definir estes mesmos para validar a investigação. Para responder a estes quatro objetivos específicos e ao objetivo geral da investigação foi criada a questão central do trabalho que é “Como efetuar o design de um processo de awareness para o Exército que reduza o impacto dos ataques de phishing executados através do seu sistema de e-mail?” Devido ao carácter teórico-prático desta investigação, foi decidido que o método de investigação seria o Hipotético-Dedutivo, e o método de procedimento seria o Estudo de Caso. Foi uma investigação exploratória, utilizando as técnicas de pesquisa bibliográfica e análise documental para executar uma revisão de literatura completa com o intuito de apoiar a investigação, como, também, fundamentar todo o trabalho de campo realizado. Para a realização deste estudo, foi necessário estudar a temática Segurança da Informação, já que esta suporta a investigação. Para existir segurança da informação é necessário que as propriedades da segurança da informação se mantenham preservadas, isto é, a confidencialidade, a integridade e a disponibilidade. O trabalho de campo consistiu em duas partes, a construção dos questionários e da apresentação de sensibilização e a sua aplicação e avaliação (outputs da investigação). Estes produtos foram usados na sessão de sensibilização através da aplicação do questionário de aferição seguido da apresentação de sensibilização, e terminando com o questionário de validação (processo de awareness). Conseguiu-se, após a sensibilização, através do processo de awareness, que os elementos identificassem com maior rigor os ataques de phishing. Para isso utilizou-se, na sensibilização, o método de ensino ativo, que incorpora boas práticas para a construção de produtos de sensibilização, utilizando os estilos de aprendizagem auditivo, mecânico e visual, que permite alterar comportamentos.
Resumo:
In recent years, there has been an enormous growth of location-aware devices, such as GPS embedded cell phones, mobile sensors and radio-frequency identification tags. The age of combining sensing, processing and communication in one device, gives rise to a vast number of applications leading to endless possibilities and a realization of mobile Wireless Sensor Network (mWSN) applications. As computing, sensing and communication become more ubiquitous, trajectory privacy becomes a critical piece of information and an important factor for commercial success. While on the move, sensor nodes continuously transmit data streams of sensed values and spatiotemporal information, known as ``trajectory information". If adversaries can intercept this information, they can monitor the trajectory path and capture the location of the source node. This research stems from the recognition that the wide applicability of mWSNs will remain elusive unless a trajectory privacy preservation mechanism is developed. The outcome seeks to lay a firm foundation in the field of trajectory privacy preservation in mWSNs against external and internal trajectory privacy attacks. First, to prevent external attacks, we particularly investigated a context-based trajectory privacy-aware routing protocol to prevent the eavesdropping attack. Traditional shortest-path oriented routing algorithms give adversaries the possibility to locate the target node in a certain area. We designed the novel privacy-aware routing phase and utilized the trajectory dissimilarity between mobile nodes to mislead adversaries about the location where the message started its journey. Second, to detect internal attacks, we developed a software-based attestation solution to detect compromised nodes. We created the dynamic attestation node chain among neighboring nodes to examine the memory checksum of suspicious nodes. The computation time for memory traversal had been improved compared to the previous work. Finally, we revisited the trust issue in trajectory privacy preservation mechanism designs. We used Bayesian game theory to model and analyze cooperative, selfish and malicious nodes' behaviors in trajectory privacy preservation activities.
Resumo:
Systems security is essential for the efficient operation of all organizations. Indeed, most large firms employ a designated ‘Chief Information Security Officer’ to coordinate the operational aspects of the organization’s information security. Part of this role is in planning investment responses to information security threats against the firm’s corporate network infrastructure. To this end, we develop and estimate a vector equation system of threats to 10 important IP services, using industry standard SANS data on threats to various components of a firm’s information system over the period January 2003 – February 2011. Our results reveal strong evidence of contagion between such attacks, with attacks on ssh and Secure Web Server indicating increased attack activity on other ports. Security managers who ignore such contagious inter-relationships may underestimate the underlying risk to their systems’ defence of security attributes, such as sensitivity and criticality, and thus delay appropriate information security investments.
Resumo:
The objective of this research is to identify the factors that influence the migration of free software to proprietary software, or vice-versa. The theoretical framework was developed in light of the Diffusion of Innovations Theory (DIT) proposed by Rogers (1976, 1995), and the Unified Theory of Acceptance and Use of Technology (UTAUT) proposed by Venkatesh, Morris, Davis and Davis (2003). The research was structured in two phases: the first phase was exploratory, characterized by adjustments of the revised theory to fit Brazilian reality and the identification of companies that could be the subject of investigation; and the second phase was qualitative, in which case studies were conducted at ArcelorMittal Tubarão (AMT), a private company that migrated from proprietary software (Unix) to free software (Linux), and the city government of Serra, in Espírito Santo state, a public organization that migrated from free software (OpenOffice) to proprietary (MS Office). The results show that software migration decision takes into account factors that go beyond issues involving technical or cost aspects, such as cultural barriers, user rejection and resistance to change. These results underscore the importance of social aspects, which can play a decisive role in the decision regarding software migration and its successful implementation.
Resumo:
Healthcare systems have assimilated information and communication technologies in order to improve the quality of healthcare and patient's experience at reduced costs. The increasing digitalization of people's health information raises however new threats regarding information security and privacy. Accidental or deliberate data breaches of health data may lead to societal pressures, embarrassment and discrimination. Information security and privacy are paramount to achieve high quality healthcare services, and further, to not harm individuals when providing care. With that in mind, we give special attention to the category of Mobile Health (mHealth) systems. That is, the use of mobile devices (e.g., mobile phones, sensors, PDAs) to support medical and public health. Such systems, have been particularly successful in developing countries, taking advantage of the flourishing mobile market and the need to expand the coverage of primary healthcare programs. Many mHealth initiatives, however, fail to address security and privacy issues. This, coupled with the lack of specific legislation for privacy and data protection in these countries, increases the risk of harm to individuals. The overall objective of this thesis is to enhance knowledge regarding the design of security and privacy technologies for mHealth systems. In particular, we deal with mHealth Data Collection Systems (MDCSs), which consists of mobile devices for collecting and reporting health-related data, replacing paper-based approaches for health surveys and surveillance. This thesis consists of publications contributing to mHealth security and privacy in various ways: with a comprehensive literature review about mHealth in Brazil; with the design of a security framework for MDCSs (SecourHealth); with the design of a MDCS (GeoHealth); with the design of Privacy Impact Assessment template for MDCSs; and with the study of ontology-based obfuscation and anonymisation functions for health data.
Resumo:
This paper analyzes the role of traders' priors (proper versus improper) on the implications of market transparency by comparing a pre-trade transparent market with an opaque market in a set-up based on Madhavan (1996). We show that prices may be more informative in the opaque market, regardless of how priors are modelled. In contrast, the comparison of market liquidity and volatility in the two market structures are affected by prior specification. Key words: Market microstructure, Transparency, Prior information
Resumo:
Audit report on the Wireless E911 Emergency Communication Fund of the Iowa Homeland Security and Emergency Management Division of the Iowa Department of Public Defense for the year ended June 30, 2006
Resumo:
Audit report on the Wireless E911 Emergency Communication Fund of the Iowa Homeland Security and Emergency Management Division of the Iowa Department of Public Defense for the year ended June 30, 2007
